A mistaken double post? From Da Boss?! Or a not-so-subtle message about MS-DEFCON 2 & to DANG IT, Turn off Automatic Update!? BTW, love this Keystone Kops pic, especially the cross-eyed Chief.

• This reply was modified 8 months, 1 week ago by  WildBill.

1 user thanked author for this post.

Cascadian

Great picture, Woody!

All I can say is, Whew! I got all of my Windows machines and virtual machines updated while we were still at MS-Defcon 3!

woody wrote:

… The chief in the Keystone Kops pic? That’s me, right now.

Well, if you choose to run both WordPress and Windows, that’s only a logical consequence!

1 user thanked author for this post.

woody

Has anyone tried this tool? https://www.sordum.org/9470/windows-update-blocker-v1-0/comment-page-1/#comments  Any thoughts?

anonymous wrote:

Has anyone tried this tool? https://www.sordum.org/9470/windows-update-blocker-v1-0/comment-page-1/#comments Any thoughts?

I mentioned this program at Methods for stopping Windows 10 updates that work on all editions and builds.

I have Windows 7 64 bit and am still in Group B.  Can you please tell me how important are .NET Framework updates?  You warned in a recent article about possible problems with them and fortunately for me up until the recent updates I did not have any problems until the last .NET Framework update I did on 2-6-18.  In fact both on my laptop and desktop pc some things went a little haywire although the laptop straightened out somehow and starting working correctly.  However on my desktop pc I had to rollback back to a few days before that .NET Framework update (I think it was KB4033342 that has reappeared) and then it seemed to work OK after that.  As soon as I got through that I ran Windows updates again and had a whole lot more updates to do all published 1-18-18 including a few more .NET Framework updates and a whole bunch more security updates for Microsoft Office only I still have 2007.  Truthfully I’m afraid to download any more .NET Framework updates because I don’t want to go through what I just did last week and cause even more problems on my pc.  Any advice please?

I’m no security expert, but in all fairness to them, my experience with my small break and fix shop is that I found the majority of my clients couldn’t grasp the concept of delaying updates for a couple weeks or more. I’ve spent hours explaining how and why, but it just doesn’t click in my average users – young and old.

Just last week I remoted into a client (for another issue) that we had setup to check for updates and notify over a year ago and not 1 update has been applied.

When I asked her why she hadn’t updated she stated she was afraid to. She might be forced into Windows 10 again, she didn’t know when was a good time, it was never convenient.

Found the same thing years ago with XP. At that time I put everyone on automatic until the Win10 fiasco. Now I’m back to setting them up for automatic with the deferral dates set in Win10.

Sweety407 wrote:

When you say let the new versions sit for a while are you talking a few weeks, the next month or a few months. After I did the updates when Woody said it was time, my monitor went completely blank (the pc was still on) and I had to go into safe mode to roll it back a little so I don’t really know what caused that. I thought it was the .NET Framework update for some reason and maybe it was something else.

There were a lot of problems with this month’s patches. It may not have been the .NET that got you – more probably the Win Monthly Rollup. Just sit thight and don’t install the Feb patches till DEFCON-3. There may be more problems ahead.

As for new versions – I like to let them sit for several months. .NET is not something most people have to rush. There were problems with Win7 when v4.7 first came out. Let someone else be the Guinea Pig!

4 users thanked author for this post.

walker, SueW, Cascadian, JDeC

RE: ” If there’s anybody in the industry who’s still spreading that kind of hooey, I want to know who and why.”
Back on 1/9, no less than Johannes B. Ullrich, Ph.D. , Dean of Research, SANS Technology Institute, posts, “So better get patching.”
https://isc.sans.edu/forums/diary/Microsoft+January+2018+Patch+Tuesday/23217/

I get my FlashPlayer updates at this site, Security Garden, But don’t agree with the Comment #3 at the bottom of this particular page “No, do NOT disable Windows Update as missing critical security updates could indeed have serious repercussions. ” Corrine is a Windows Insider/ MVP so…

https://securitygarden.blogspot.com/search/label/Windows%207

Sweety407 wrote:

… Any advice please?

Do not check any boxes that are not preselected by WU, unless you have a specific reason for doing so. Or, do not get items from the catalog that you do not specifically want.

In shorter, older words, do not fix what is not broken.

• This reply was modified 8 months, 1 week ago by  Cascadian. Reason: typo fix

3 users thanked author for this post.

walker, Elly, JDeC

better add: Windows Update is turned off ALL the time on my win7 😉

Just asking for a quick clarification, since I guess I’ll have to install the January patches this week at least, along with this month’s, since they include RCEs: Is it all right to set the registry entries to disable the Meltdown and Spectre fixes before installing that patch? And will that make those parts of the patch never trigger in the first place, to be sure I won’t have to worry about either conflicts/bugs or slowdown until I see a serious reason to apply them but get the benefit of any other patches in that bundle and avoid issues possibly caused by installing that after some later Group B patches?

anonymous wrote:

Is it all right to set the registry entries to disable the Meltdown and Spectre fixes before installing that patch?

Yes. See Q10 at https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution.

Are the January patches ever likely to reach defcon 5?

anonymous wrote:

Are the January patches ever likely to reach defcon 5?

The DEFCON rating is about whether it is safe to patch and what precautions need to be taken. It is about waiting to see where the problems are with each patch. The DEFCON rating for January was raised to 3 as an indication that the problems with each patch were, for the most part, known and patching could be done considering the cautions and precautions.

The individual patches do not have a DEFCON rating. Once the January DEFCON goes to three, those patches problems are known and they can be always be installed (or not installed) with the known caveats.

1 user thanked author for this post.

Cascadian

MS patch Tuesday list over at Martin Brinkmanns Ghacks..wow he is quick!

https://www.ghacks.net/2018/02/13/microsoft-security-updates-february-2018-release/

2 users thanked author for this post.

AJNorth, MrBrian

Microfix wrote:

MS patch Tuesday list over at Martin Brinkmanns Ghacks..wow he is quick!

Perhaps he has a program that does this. There is programmatic access to this info.

• This reply was modified 8 months, 1 week ago by  MrBrian.

1 user thanked author for this post.

AJNorth

Regarding recommendations: Swedish cert.se recommends updating “vulnerable systems” ASAP.

Link in swedish but Google translate seems to work fine for this:
https://www.cert.se/2018/02/microsofts-sakerhetsuppdateringar-februari-2018

/D

All of the operating system patches on Window 7 SP1 64bit for me appear to have been pulled, except for Office 2010 patches, nothing shows up at all.

@pkcano My antivirus is set and REGKEY is set.  I already have the Meltdown and Spectre patches from January applied, and the February patches showed up initially.  However, they no longer showed up for a period of a day or so.  They are showing up again on my HP machine tonight, when I checked this morning they were not being offered. 

Likewise, with my Dell, Updates were checked at 7AM this morning, and no Window updates were offered, though they had been offered earlier in the week.  Tonight I checked for updates again and they have reappeared. Only Office 2010 updates were showing.  It may have been a temporary thing. 

I have over 35 years experience in IT; I follow everything closely here, and my post about them not showing up was just to provide some data in case others were seeing the same thing.

@pkcano, also, my processors are all Intel.

Regarding experts still recommending leaving Windows 10 Automatic Updates turned on:
There are quite a few experts who do recommend this, and they are not all “security experts”:

Don’t tell people to turn off Windows Update, just don’t
https://www.troyhunt.com/dont-tell-people-to-turn-off-windows-update-just-dont/
15 MAY 2017

Should Windows 10 Power Users Shut Off Windows Update?
https://www.extremetech.com/computing/255686-windows-10-power-users-shut-off-windows-update
September 13, 2017
“Let me be clear: It is *generally* a bad idea to turn off security updates.”

How to Turn Off Automatic Windows 10 Updates?
https://ugetfix.com/ask/how-to-turn-off-automatic-windows-10-updates/
2017-04-17 (April 17, 2017)
“…IT specialists highly recommend keeping automatic Windows Update service enabled,…”

Windows 10: The Missing Manual
By David Pogue
p. 498:
“But there’s a pursuasive argument for leaving automatic updates turned on. Microsoft and other security researchers constantly find new security holes — and as soon as they’re found, Microsoft rushes a new patch out the door to fix it.” (He goes on to warn that when Microsoft issues a patch, it alerts hackers to a security flaw, and then the hackers begin to exploit it on unpatched PCs.)

How to use Automatic Updates in Windows 10
http://www.diamondbyte.co.uk/Blogs/files/fa117ef40cbe115972f0b33fd9dfdf6e-47.html
Sept. 14, 2017

For the vast majority of home users, this type of advice is good. They don’t want to or can’t be trusted to keep watching out for when it’s safe to patch, and most would mess up their systems fiercely if they so much as opened Regedit or Group Policies (which they as Home Users don’t have anyway). We are not talking about power users or advanced hobbyists like those of us who frequent this blog/forum. Just average Joes and Janes who want to turn on the PC and get on with their work or play.

On the other hand, I would recommend to anyone who wants to just get on with our play to use a Chromebook, and those with serious work to do, get into Linux ASAP, as in yesterday.

• This reply was modified 8 months ago by  rc primak.